xref: /linux/security/apparmor/include/policy_ns.h (revision e5c86679d5e864947a52fb31e45a425dea3e7fa9) 
1 /*
2  * AppArmor security module
3  *
4  * This file contains AppArmor policy definitions.
5  *
6  * Copyright (C) 1998-2008 Novell/SUSE
7  * Copyright 2009-2017 Canonical Ltd.
8  *
9  * This program is free software; you can redistribute it and/or
10  * modify it under the terms of the GNU General Public License as
11  * published by the Free Software Foundation, version 2 of the
12  * License.
13  */
14 
15 #ifndef __AA_NAMESPACE_H
16 #define __AA_NAMESPACE_H
17 
18 #include <linux/kref.h>
19 
20 #include "apparmor.h"
21 #include "apparmorfs.h"
22 #include "policy.h"
23 
24 
25 /* struct aa_ns_acct - accounting of profiles in namespace
26  * @max_size: maximum space allowed for all profiles in namespace
27  * @max_count: maximum number of profiles that can be in this namespace
28  * @size: current size of profiles
29  * @count: current count of profiles (includes null profiles)
30  */
31 struct aa_ns_acct {
32 	int max_size;
33 	int max_count;
34 	int size;
35 	int count;
36 };
37 
38 /* struct aa_ns - namespace for a set of profiles
39  * @base: common policy
40  * @parent: parent of namespace
41  * @lock: lock for modifying the object
42  * @acct: accounting for the namespace
43  * @unconfined: special unconfined profile for the namespace
44  * @sub_ns: list of namespaces under the current namespace.
45  * @uniq_null: uniq value used for null learning profiles
46  * @uniq_id: a unique id count for the profiles in the namespace
47  * @level: level of ns within the tree hierarchy
48  * @dents: dentries for the namespaces file entries in apparmorfs
49  *
50  * An aa_ns defines the set profiles that are searched to determine which
51  * profile to attach to a task.  Profiles can not be shared between aa_ns
52  * and profile names within a namespace are guaranteed to be unique.  When
53  * profiles in separate namespaces have the same name they are NOT considered
54  * to be equivalent.
55  *
56  * Namespaces are hierarchical and only namespaces and profiles below the
57  * current namespace are visible.
58  *
59  * Namespace names must be unique and can not contain the characters :/\0
60  */
61 struct aa_ns {
62 	struct aa_policy base;
63 	struct aa_ns *parent;
64 	struct mutex lock;
65 	struct aa_ns_acct acct;
66 	struct aa_profile *unconfined;
67 	struct list_head sub_ns;
68 	atomic_t uniq_null;
69 	long uniq_id;
70 	int level;
71 
72 	struct dentry *dents[AAFS_NS_SIZEOF];
73 };
74 
75 extern struct aa_ns *root_ns;
76 
77 extern const char *aa_hidden_ns_name;
78 
79 bool aa_ns_visible(struct aa_ns *curr, struct aa_ns *view, bool subns);
80 const char *aa_ns_name(struct aa_ns *parent, struct aa_ns *child, bool subns);
81 void aa_free_ns(struct aa_ns *ns);
82 int aa_alloc_root_ns(void);
83 void aa_free_root_ns(void);
84 void aa_free_ns_kref(struct kref *kref);
85 
86 struct aa_ns *aa_find_ns(struct aa_ns *root, const char *name);
87 struct aa_ns *aa_findn_ns(struct aa_ns *root, const char *name, size_t n);
88 struct aa_ns *__aa_find_or_create_ns(struct aa_ns *parent, const char *name,
89 				     struct dentry *dir);
90 struct aa_ns *aa_prepare_ns(struct aa_ns *root, const char *name);
91 void __aa_remove_ns(struct aa_ns *ns);
92 
93 static inline struct aa_profile *aa_deref_parent(struct aa_profile *p)
94 {
95 	return rcu_dereference_protected(p->parent,
96 					 mutex_is_locked(&p->ns->lock));
97 }
98 
99 /**
100  * aa_get_ns - increment references count on @ns
101  * @ns: namespace to increment reference count of (MAYBE NULL)
102  *
103  * Returns: pointer to @ns, if @ns is NULL returns NULL
104  * Requires: @ns must be held with valid refcount when called
105  */
106 static inline struct aa_ns *aa_get_ns(struct aa_ns *ns)
107 {
108 	if (ns)
109 		aa_get_profile(ns->unconfined);
110 
111 	return ns;
112 }
113 
114 /**
115  * aa_put_ns - decrement refcount on @ns
116  * @ns: namespace to put reference of
117  *
118  * Decrement reference count of @ns and if no longer in use free it
119  */
120 static inline void aa_put_ns(struct aa_ns *ns)
121 {
122 	if (ns)
123 		aa_put_profile(ns->unconfined);
124 }
125 
126 /**
127  * __aa_findn_ns - find a namespace on a list by @name
128  * @head: list to search for namespace on  (NOT NULL)
129  * @name: name of namespace to look for  (NOT NULL)
130  * @n: length of @name
131  * Returns: unrefcounted namespace
132  *
133  * Requires: rcu_read_lock be held
134  */
135 static inline struct aa_ns *__aa_findn_ns(struct list_head *head,
136 					  const char *name, size_t n)
137 {
138 	return (struct aa_ns *)__policy_strn_find(head, name, n);
139 }
140 
141 static inline struct aa_ns *__aa_find_ns(struct list_head *head,
142 					 const char *name)
143 {
144 	return __aa_findn_ns(head, name, strlen(name));
145 }
146 
147 #endif /* AA_NAMESPACE_H */
148